oss-sec mailing list archives

Re: Path traversal flaws in awstats 7.6 and earlier.


From: John Lightsey <jd () cpanel net>
Date: Sat, 6 Jan 2018 12:25:09 -0600

On 1/6/18 3:33 AM, Hanno Böck wrote:
> On Wed, 27 Dec 2017 09:21:41 -0600
> John Lightsey <jd () cpanel net> wrote:
>
>> The cPanel Security Team discovered two path traversal flaws in
>> awstats that could be leveraged for unauthenticated remote code
>> execution.
>
> On
> https://awstats.sourceforge.io/#DOWNLOAD
> the latest version is still 7.6.
> On the GitHub repo you linked the latest version is 7.5.
>
> Are you in contact with the developers? It's not exactly ideal that
> there's a publicly known remote code execution and there is no new
> release containing the fix.


I'd agree with you there. Whenever we report security issues to upstream
developers, we have no control over the process they use to resolve the
issue.

In this case, the upstream author committed a partial fix to a public
repo soon after we reported the problem. In my view, whenever an
upstream author does this, you just consider the issue to be public
whether or not official releases or announcements have been made.

I'll pass your feedback along to the upstream author though.
